JNEC.a
JNEC.a is ransomware that runs on Microsoft Windows. The interesting part is that the malware author chose an unusual method to deliver the file decryption keys: the ID number unique to each affected computer doubles as a Gmail address used for delivery of the key. JNEC.a is written in .NET, and infection starts with extracting the contents of a rigged archive.

Behavior

The WinRAR exploit lets the author drop the malware into the Windows Startup folder, so it runs on the next login. To hide its presence, the author named it "GoogleUpdate.exe", so it is easily mistaken for Google's update process.

Payload Transmission

It spreads through an exploit for the recently reported code execution vulnerability in WinRAR's handling of ACE archives, CVE-2018-20250. The vulnerability can be exploited by at least 100 different exploits, which puts over 500 million users at risk. It allows the criminals to deliver the JNEC.a Ransomware Trojan. JNEC.a targets both English and Russian speakers, based on the social engineering tactic used to distribute it. It is also delivered via corrupted spam email attachments that entice computer users by offering access to nude pictures and pornographic material. It hides itself in a RAR file called vk_4221345.rar. The attacker lures victims into decompressing the archive by embedding a corrupt, incomplete picture of a woman.

Infection

When the image is decompressed, it triggers an error and shows an incomplete picture. The error and the picture fragment make everything look like a technical fault, so the user won't give it another thought. However, the ransomware has already been added to the system. After encrypting a computer, it generates a Gmail address that victims need to create in order to receive the file decryption key once they pay the ransom. Once executed, the ransomware encrypts data on the computer and appends the .Jnec extension to the file's original one.
JNEC.a encrypts files with the following extensions: .jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar. The price for the decryption key is 0.05 bitcoins (about $200). The JNEC Ransomware delivers its ransom note in a text file named 'NEC.README.TXT' on the infected computer's desktop. The JNEC Ransomware also opens a program window with the name 'JNEC.a.'
The ransom message that JNEC delivers in both its text note and its program window reads:

Deposit amount: 0.05 BTC
BTC Address: 1JK1gnn4KEQRf8n7pHZiNvmV8WTXfq7kVa
Your ID: redacted
Your Email: redacted (Create a mail to get the decryption key)

Although the address is given in the ransom note, it is not registered yet; registering it falls to the victim if they want to recover their files after paying the ransom. To make sure that victims understand how to recover their data, the malware author also provides clear instructions for creating the specific Gmail address; these are available in the JNEC.README.TXT ransom note that the ransomware drops on an infected computer.
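As an added example (not code from the wiki or from any analysis of the sample), the following Python triage script walks a profile directory or mounted image and collects the three host-side indicators the write-up gives: an executable dropped into a Windows Startup folder (flagging the GoogleUpdate.exe masquerade by name), files carrying the appended .Jnec extension, and the ransom note. The Startup folder layout and the sample directory tree are assumptions constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Indicators from the write-up above (compared case-insensitively).
DROPPED_NAME = "googleupdate.exe"                       # binary dropped into Startup
ENCRYPTED_EXT = ".jnec"                                 # appended after the original extension
RANSOM_NOTES = {"jnec.readme.txt", "nec.readme.txt"}    # both spellings the write-up uses
STARTUP_TAIL = ("start menu", "programs", "startup")    # last folders of a Startup path (assumed layout)
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}

def in_startup_folder(path: Path) -> bool:
    """True when the file's parent is a Windows Startup folder (per-user or all-users)."""
    parts = tuple(p.lower() for p in path.parent.parts)
    return parts[-3:] == STARTUP_TAIL

def triage(root: Path) -> dict:
    """Walk the tree under root and collect JNEC.a-style indicators, paths relative to root."""
    found = {"startup_executables": [], "encrypted_files": [], "ransom_notes": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath, name)
            rel = p.relative_to(root).as_posix()
            low = name.lower()
            if in_startup_folder(p) and p.suffix.lower() in EXEC_EXTS:
                # Any executable in Startup is a persistence finding; the masquerading
                # name is tagged explicitly so an analyst sees it at a glance.
                tag = "masquerades as Google updater" if low == DROPPED_NAME else "unexpected"
                found["startup_executables"].append((rel, tag))
            elif low.endswith(ENCRYPTED_EXT):
                found["encrypted_files"].append(rel)
            elif low in RANSOM_NOTES:
                found["ransom_notes"].append(rel)
    return found

def build_sample_tree() -> Path:
    """Constructed sample layout (not a real infection) so the scan runs offline."""
    root = Path(tempfile.mkdtemp(prefix="jnec-sample-"))
    startup = root / "Users/alice/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
    desktop = root / "Users/alice/Desktop"
    legit = root / "Program Files (x86)/Google/Update"
    for d in (startup, desktop, legit):
        d.mkdir(parents=True)
    (startup / "GoogleUpdate.exe").write_bytes(b"MZ")       # the dropped payload
    (legit / "GoogleUpdate.exe").write_bytes(b"MZ")         # real updater location: not flagged
    (desktop / "holiday.jpg.Jnec").write_bytes(b"\x00")     # encrypted user file
    (desktop / "JNEC.README.TXT").write_text("Deposit amount: 0.05 BTC\n")
    (desktop / "notes.txt").write_text("unrelated\n")
    return root

if __name__ == "__main__":
    for kind, hits in triage(build_sample_tree()).items():
        print(kind, hits)
```

The same GoogleUpdate.exe name under Program Files is deliberately left unflagged: the indicator is the location, not the name alone.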